Applying network policies to devices based on their current access network

ABSTRACT

Methods and systems are described for managing device access to a particular network from various access networks. One example method includes receiving a message, associated with a source address, from a device over a particular network. A current access network for the device is determined based at least in part on the source address of the message. Based on this determination, a network policy for the particular network is applied to the device.

BACKGROUND

This specification generally relates to methods and systems for applying network policies to devices based on their current access network.

In corporate and other networks, user devices may be configured to access a network in different ways. For example, devices may receive configuration information when they log on to a network from a central location, or may be initialized with such configuration information at regular intervals. The configuration information may control the network access behavior of the particular device.

SUMMARY

In general, one aspect of the subject matter described in this specification may be embodied in systems, and methods performed by data processing apparatuses that include the actions of receiving a message from a device over a network, the message associated with a source address; determining a current access network for the device based at least in part on the source address; and applying a network policy to the device based on the determined current access network.

Details of one or more implementations of the subject matter described in this specification are set forth in the accompanying drawings and the description below. Other features, aspects, and potential advantages of the subject matter will become apparent from the description, the drawings, and the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of an example environment for applying network policies to devices based on their current access network.

FIG. 2 is a message flow diagram of an example interaction between the components of the example network to apply network policies to devices based on their current access network.

FIG. 3 is a flow chart of an example process of applying network policies to devices based on their current access network.

FIG. 4 is a diagram of computing devices that may be used to implement the systems and methods described herein.

Like reference numbers and designations in the various drawings indicate like elements.

DETAILED DESCRIPTION

Network-enabled computing devices may be used to access resources on public networks (e.g., the Internet) from different access networks. For example, a user may use the same laptop computer to access the Internet while connected to a public Wi-Fi network at a coffee shop, a local network operated by the user's employer, a local network operated by another company (such as a client of the user's employer), a public network operated by a municipality, or other public or private networks. Each access network may have a different configuration, e.g., different levels of security, different bandwidth characteristics, etc. The access networks may also be operated by different entities (e.g., the employer, the coffee shop owner, etc.), meaning that data sent by computing devices on the network may be subject to monitoring by the entities or other activities that could be problematic for sensitive data sent by computing devices connected to the network. For example, if the network were operated by a competitor of the user's employer, the employer may not want sensitive data (or any data) to be sent unencrypted over the network.

Accordingly, the present specification describes techniques for applying network policies to devices based on their current access network. One example method includes receiving a message from a device over a network, the message associated with a source address. A current access network of the device is then determined based at least in part on the source address. A network policy is then applied to the device based on the determined current access network. In some cases, the message is received and the current access network determined by a computing device (e.g., a server) at an access network separate from the current access network of the device.

Implementations according to the present disclosure have several potential advantages. First, network behavior of computing devices may be managed more precisely than with previous techniques. For example, an administrator may configure a network policy so that certain resources (e.g., R&D servers) cannot be accessed from specific networks, such as those operated by competitors, or may require strong encryption (e.g., 64-bit or greater) for such access. Such a configuration may lessen the chance that the competitor will be able to eavesdrop on the communication and gain access to proprietary information. Further, the present techniques may offer greater flexibility than previous techniques, as the network behavior of the computing devices may be changed for specific access networks. The present techniques may also be more reliable than previous techniques, as effectively disguising the source address of the computing devices (e.g., by a malicious entity) in a way that is undetectable to the server applying the network policies may have the effect of disabling the network access of the computing device. For example, such a misconfiguration may be detected by the network infrastructure, which may disallow access to the network. The present techniques may also be more easily implemented than other approaches, as they follow standard network configuration procedures and generally use existing standard protocols.

FIG. 1 is a diagram of an example environment for applying network policies to devices based on their current access network. As shown, the environment 100 includes networks 130, 140 connected to public network 150 (e.g., the Internet). The networks 130, 140 are used by connected devices 132, 142, 144 to access the public network 150. The network management system 120 is connected to the public network 150. In operation, the network management system 120 receives messages from the devices 132, 142, 144 over the public network 150. The network management system 120 analyzes the received messages to determine which of the networks 130, 140 the messages originated from. In some cases, the network management system 120 examines a source address associated with the received message to make this determination. This determination represents the current access network of the device that sent the message. The network management system 120 determines a network policy 166 to apply to the device that sent the message based on this determined access network. In some cases, the network management system 120 is located at an access network separate from the access networks of the devices 132, 142, 144. For example, as shown in FIG. 1, the network management system 120 is not directly connected to the network 130 or the network 140.

The networks 130, 140 may be private or public networks through which the public network 150 can be accessed by connected devices. For example, the network 130 may be a local area network provided by a particular business to which the device 132 is connected. The network 130 may include a gateway (not shown) connecting the network 130 to the public network 150. Requests for resources on the public network 150 may traverse this gateway to reach the public network 150. The gateway may communicate with the public network 150 on behalf of devices connected to the network 130. Accordingly, messages originating from the network 130 can be identified by a public network address assigned to the owner or operator of the network 130. For example, the company operating network 130 may be assigned a public IP address range of “1.2.x.x.” In such a case, messages originating from the network 130, including those originally sent by device 132, may have a source address in the range “1.2.x.x.” In some cases, the device 132 and other devices connected to the network 130 may be assigned an internal IP address for use on the network 130 (e.g., “192.168.x.x”). In such a case, this internal IP address will not be used outside of the network 130. The network 130 may also assign public IP addresses to each device connected to the network 130 (e.g., “1.2.x.x”). In such a case, the source address of messages sent by the device 132 may be this public IP address. The network 130 may be a wired or wireless network utilizing one or more network technologies, including, but not limited to, ETHERNET, WI-FI, CDMA, LTE, IP, HTTP, TCP, UDP, or other technologies.

The network 140 may be a public or private network operated by a different entity than network 130. Network 130 and network 140 represent different access networks, as will be described in greater detail below. The public network 150 is a network connecting multiple disparate resources (e.g., servers, networks, etc.). In some cases, the public network 150 is the Internet.

The network management system 120 may be a server or set of servers connected to the public network 150 and operable to receive messages from the devices 132, 142, 144. The network management system 120 may also be a software application running in a distributed computing or “cloud” environment. The network management system 120 receives messages (e.g., heartbeat messages, proxy automatic configuration (PAC) script requests) from the devices 132, 142, 144 and determines the current access network of each device by analyzing the received messages. For example, if the network management system 120 receives a message from the device 132 with a source address of “1.2.3.4,” the network management system 120 may consult the database 160 to determine if this source address matches an access network 162. Each access network 162 is associated with an address range 164. Network management system 120 may determine that a device is currently at a particular access network 162 if the source address of a message received from the device is within the address range 164 associated with the particular access network 162. For example, an access network 162 corresponding to the network 130 may be associated with an address range “1.2.x.x.” The message received from the device 132 with the source address of “1.2.3.4” matches this address range, and thus the network management system 120 can conclude that the device is currently at the access network 162 corresponding to the network 130.

If the network management system 120 determines that a device is at a particular access network, the network management system 120 may apply a network policy 166 associated with the particular access network 162. For example, the network management system 120 may send a message to the device 132 to configure it according to the network policy 166 associated with its current access network 162. In some cases, the network policies 166 may include configuration settings to be applied to devices at the associated access network 162, including, but not limited to, bandwidth limits, access restrictions, encryption requirements, or other settings.

FIG. 2 is a message flow diagram of an example interaction 200 between the components of the example network to apply network policies to devices based on their current access network. At 210, the device 132 sends a heartbeat message to the network management system 120 with source address “1.2.3.4.” In some cases, the device 132 may send other types of messages to the network management system 120, including PAC script requests, web requests, configuration requests, authentication requests, or other messages.

At 215, the network management system 120 requests the access network associated with the source address “1.2.3.4” from the database 160. At 220, the database 160 responds with an access network “A.” At 225, the network management system 120 requests a network policy for access network “A.” At 230, the database 160 returns a network policy associated with the access network “A.” At 235, the network management system 120 applies the network policy to the device 132. In some cases, applying the network policy to the device 132 may include sending messages to components other than the device 132 (e.g., routers, gateways, policy engines, etc.).

At 240, the device 142 sends a heartbeat message to the network management system 120 with source address “4.3.2.1.” In some cases, the device 142 may send other types of messages to the network management system 120, including PAC script requests, web requests, configuration requests, authentication requests, or other messages.

At 245, the network management system 120 requests the access network associated with the source address “4.3.2.1” from the database 160. At 250, the database 160 responds with an access network “B.” At 255, the network management system 120 requests a network policy for access network “B.” At 260, the database 160 returns a network policy associated with the access network “B.” At 265, the network management system 120 applies the network policy to the device 142. In some cases, applying the network policy to the device 142 may include sending messages to components other than the device 142 (e.g., routers, gateways, policy engines, etc.).

FIG. 3 is a flow chart of an example process 300 of applying network policies to devices based on their current access network. At 305, a message is received from a device over a network. The message is associated with the source address. In some cases, the network over which the message is received from the device is the Internet. The received message may include a heartbeat message, a proxy automatic configuration (PAC) script request, a configuration request, or other messages.

At 310, a current access network of the device is determined based at least in part on the source address. For example, the current access network may be determined by comparing the source address to an address range for a particular access network, as described above.

At 315, a network policy is applied to the device based on the determined current access network. In some cases, the message from the device is received by a server at an access network separate from the current access network of the device. Applying the network policy to the device may include assigning a maximum bandwidth usage parameter to the device. In some implementations, applying the network policy to the device includes restricting access to one or more network resources. Applying the network policy to the device may also include permitting access to one or more network resources.

In some implementations, the process 300 includes identifying one or more known access networks each identified by a particular source address range, wherein the known access networks include the current access network, and wherein determining the current access network of the device includes determining that the source address associated with the received message is included in the particular source address range associated with the current access network. In some cases, the particular source address range includes a subnet mask. The current access network may include an owner of a particular network associated with the current access network.
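Steps 305 to 315 worked through in Python, as an added example that is not the patent's own code: the address ranges 164 are written as CIDR prefixes (the subnet mask of the paragraph above), the most specific matching range wins when an operator's range is subdivided, an internal (private) or unmatched source address falls back to a restrictive policy, and the source address is taken from the transport-layer peer rather than from anything the device writes into the message body. The guest prefix, the policy contents and the fallback policy are assumptions, and the heartbeat messages are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union


@dataclass(frozen=True)
class NetworkPolicy:
    """Network policy 166: settings pushed to a device at a given access network."""
    name: str
    max_bandwidth_kbps: Optional[int]   # None means no bandwidth cap
    denied_resources: frozenset         # resources the device must not reach
    require_encryption: bool            # force encrypted transport for all traffic


@dataclass(frozen=True)
class AccessNetwork:
    """Access network 162 with its address range 164 and network policy 166."""
    name: str
    address_range: ipaddress.IPv4Network
    policy: NetworkPolicy


# Constructed records standing in for database 160. "1.2.x.x" and "4.3.x.x"
# from the text are written as CIDR prefixes; the narrower 1.2.200.0/24 guest
# prefix is an assumption added here to show longest-prefix matching.
ACCESS_NETWORKS = (
    AccessNetwork("A", ipaddress.ip_network("1.2.0.0/16"),
                  NetworkPolicy("corporate", None, frozenset(), False)),
    AccessNetwork("A-guest", ipaddress.ip_network("1.2.200.0/24"),
                  NetworkPolicy("guest-wifi", 2_000,
                                frozenset({"rd.example.internal"}), True)),
    AccessNetwork("B", ipaddress.ip_network("4.3.0.0/16"),
                  NetworkPolicy("competitor", 500,
                                frozenset({"rd.example.internal",
                                           "hr.example.internal"}), True)),
)

# Assumption: a source address matching no known access network gets the
# most restrictive policy rather than no policy at all.
UNKNOWN_POLICY = NetworkPolicy("unknown-network", 500,
                               frozenset({"rd.example.internal",
                                          "hr.example.internal"}), True)


def source_address_of(message: dict) -> ipaddress.IPv4Address:
    """Step 305: the address the message arrived from.

    Only the transport-layer peer address observed by the network
    management system is used. Any address the device reports inside the
    message body is ignored: the sender controls the body, not the address
    the public network delivered the packet from.
    """
    return ipaddress.ip_address(message["peer_address"])


def current_access_network(addr: Union[str, ipaddress.IPv4Address]) -> Optional[AccessNetwork]:
    """Step 310: compare the source address with each address range 164.

    Returns the most specific matching access network, or None when none
    matches. An internal address such as 192.168.x.x is only valid inside
    its own access network and never reaches the server as a source address
    on the public network, so it is treated as unknown rather than looked up.
    """
    addr = ipaddress.ip_address(addr)
    if addr.is_private:
        return None
    matches = [an for an in ACCESS_NETWORKS if addr in an.address_range]
    if not matches:
        return None
    return max(matches, key=lambda an: an.address_range.prefixlen)


def policy_for_message(message: dict) -> Tuple[Optional[str], NetworkPolicy]:
    """Steps 305 to 315: received message to (access network name, policy)."""
    network = current_access_network(source_address_of(message))
    if network is None:
        return None, UNKNOWN_POLICY
    return network.name, network.policy


def apply_policy(message: dict) -> dict:
    """Step 315 (235/265 in FIG. 2): the configuration sent back to the device."""
    network_name, policy = policy_for_message(message)
    return {
        "device_id": message["device_id"],
        "access_network": network_name,
        "policy": policy.name,
        "max_bandwidth_kbps": policy.max_bandwidth_kbps,
        "denied_resources": sorted(policy.denied_resources),
        "require_encryption": policy.require_encryption,
    }


if __name__ == "__main__":
    # Constructed heartbeats mirroring steps 210 and 240, plus a private
    # address and an address outside every known range.
    for peer in ("1.2.3.4", "4.3.2.1", "192.168.1.10", "9.9.9.9"):
        print(apply_policy({"type": "heartbeat", "device_id": "dev", "peer_address": peer}))
```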

FIG. 4 is a block diagram of computing devices 400, 450 that may be used to implement the systems and methods described in this document, as either a client or as a server or plurality of servers. Computing device 400 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Computing device 450 is intended to represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, and other similar computing devices. Additionally, computing device 400 or 450 can include Universal Serial Bus (USB) flash drives. The USB flash drives may store operating systems and other applications. The USB flash drives can include input/output components, such as a wireless transmitter or USB connector that may be inserted into a USB port of another computing device. The components shown here, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed in this document.

Computing device 400 includes a processor 402, memory 404, a storage device 406, a high-speed interface 408 connecting to memory 404 and high-speed expansion ports 410, and a low speed interface 412 connecting to low speed bus 414 and storage device 406. Each of the components 402, 404, 406, 408, 410, and 412, are interconnected using various busses, and may be mounted on a common motherboard or in other manners as appropriate. The processor 402 can process instructions for execution within the computing device 400, including instructions stored in the memory 404 or on the storage device 406 to display graphical information for a GUI on an external input/output device, such as display 416 coupled to high speed interface 408. In other implementations, multiple processors and/or multiple buses may be used, as appropriate, along with multiple memories and types of memory. Also, multiple computing devices 400 may be connected, with each device providing portions of the necessary operations (e.g., as a server bank, a group of blade servers, or a multi-processor system).

The memory 404 stores information within the computing device 400. In one implementation, the memory 404 is a volatile memory unit or units. In another implementation, the memory 404 is a non-volatile memory unit or units. The memory 404 may also be another form of computer-readable medium, such as a magnetic or optical disk.

The storage device 406 is capable of providing mass storage for the computing device 400. In one implementation, the storage device 406 may be or contain a computer-readable medium, such as a floppy disk device, a hard disk device, an optical disk device, or a tape device, a flash memory or other similar solid state memory device, or an array of devices, including devices in a storage area network or other configurations. A computer program product can be tangibly embodied in an information carrier. The computer program product may also contain instructions that, when executed, perform one or more methods, such as those described above. The information carrier is a computer- or machine-readable medium, such as the memory 404, the storage device 406, or memory on processor 402.

The high speed controller 408 manages bandwidth-intensive operations for the computing device 400, while the low speed controller 412 manages lower bandwidth-intensive operations. Such allocation of functions is exemplary only. In one implementation, the high-speed controller 408 is coupled to memory 404, display 416 (e.g., through a graphics processor or accelerator), and to high-speed expansion ports 410, which may accept various expansion cards (not shown). In the implementation, low-speed controller 412 is coupled to storage device 406 and low-speed expansion port 414. The low-speed expansion port, which may include various communication ports (e.g., USB, Bluetooth, Ethernet, wireless Ethernet) may be coupled to one or more input/output devices, such as a keyboard, a pointing device, a scanner, or a networking device such as a switch or router, e.g., through a network adapter.

The computing device 400 may be implemented in a number of different forms, as shown in the figure. For example, it may be implemented as a standard server 420, or multiple times in a group of such servers. It may also be implemented as part of a rack server system 424. In addition, it may be implemented in a personal computer such as a laptop computer 422. Alternatively, components from computing device 400 may be combined with other components in a mobile device (not shown), such as device 450. Each of such devices may contain one or more of computing device 400, 450, and an entire system may be made up of multiple computing devices 400, 450 communicating with each other.

Computing device 450 includes a processor 452, memory 464, an input/output device such as a display 454, a communication interface 466, and a transceiver 468, among other components. The device 450 may also be provided with a storage device, such as a microdrive or other device, to provide additional storage. Each of the components 450, 452, 464, 454, 466, and 468, are interconnected using various buses, and several of the components may be mounted on a common motherboard or in other manners as appropriate.

The processor 452 can execute instructions within the computing device 450, including instructions stored in the memory 464. The processor may be implemented as a chipset of chips that include separate and multiple analog and digital processors. Additionally, the processor may be implemented using any of a number of architectures. For example, the processor 452 may be a CISC (Complex Instruction Set Computers) processor, a RISC (Reduced Instruction Set Computer) processor, or an MISC (Minimal Instruction Set Computer) processor. The processor may provide, for example, for coordination of the other components of the device 450, such as control of user interfaces, applications run by device 450, and wireless communication by device 450.

Processor 452 may communicate with a user through control interface 458 and display interface 456 coupled to a display 454. The display 454 may be, for example, a TFT (Thin-Film-Transistor Liquid Crystal Display) display or an OLED (Organic Light Emitting Diode) display, or other appropriate display technology. The display interface 456 may comprise appropriate circuitry for driving the display 454 to present graphical and other information to a user. The control interface 458 may receive commands from a user and convert them for submission to the processor 452. In addition, an external interface 462 may be provided in communication with processor 452, so as to enable near area communication of device 450 with other devices. External interface 462 may provide, for example, for wired communication in some implementations, or for wireless communication in other implementations, and multiple interfaces may also be used.

The memory 464 stores information within the computing device 450. The memory 464 can be implemented as one or more of a computer-readable medium or media, a volatile memory unit or units, or a non-volatile memory unit or units. Expansion memory 474 may also be provided and connected to device 450 through expansion interface 472, which may include, for example, a SIMM (Single In Line Memory Module) card interface. Such expansion memory 474 may provide extra storage space for device 450, or may also store applications or other information for device 450. Specifically, expansion memory 474 may include instructions to carry out or supplement the processes described above, and may include secure information also. Thus, for example, expansion memory 474 may be provided as a security module for device 450, and may be programmed with instructions that permit secure use of device 450. In addition, secure applications may be provided via the SIMM cards, along with additional information, such as placing identifying information on the SIMM card in a non-hackable manner.

The memory may include, for example, flash memory and/or NVRAM memory, as discussed below. In one implementation, a computer program product is tangibly embodied in an information carrier. The computer program product contains instructions that, when executed, perform one or more methods, such as those described above. The information carrier is a computer- or machine-readable medium, such as the memory 464, expansion memory 474, or memory on processor 452 that may be received, for example, over transceiver 468 or external interface 462.

Device 450 may communicate wirelessly through communication interface 466, which may include digital signal processing circuitry where necessary. Communication interface 466 may provide for communications under various modes or protocols, such as GSM voice calls, SMS, EMS, or MMS messaging, CDMA, TDMA, PDC, WCDMA, CDMA2000, or GPRS, among others. Such communication may occur, for example, through radio-frequency transceiver 468. In addition, short-range communication may occur, such as using a Bluetooth, WiFi, or other such transceiver (not shown). In addition, GPS (Global Positioning System) receiver module 470 may provide additional navigation- and location-related wireless data to device 450, which may be used as appropriate by applications running on device 450.

Device 450 may also communicate audibly using audio codec 460, which may receive spoken information from a user and convert it to usable digital information. Audio codec 460 may likewise generate audible sound for a user, such as through a speaker, e.g., in a handset of device 450. Such sound may include sound from voice telephone calls, may include recorded sound (e.g., voice messages, music files, etc.) and may also include sound generated by applications operating on device 450.

The computing device 450 may be implemented in a number of different forms, as shown in the figure. For example, it may be implemented as a cellular telephone 480. It may also be implemented as part of a smartphone 482, personal digital assistant, or other similar mobile device.

Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, specially designed ASICs (application specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof. These various implementations can include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.

These computer programs (also known as programs, software, software applications or code) include machine instructions for a programmable processor, and can be implemented in a high-level procedural and/or object-oriented programming language, and/or in assembly/machine language. As used herein, the terms “machine-readable medium” and “computer-readable medium” refer to any computer program product, apparatus and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term “machine-readable signal” refers to any signal used to provide machine instructions and/or data to a programmable processor.

To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computer. Other kinds of devices can be used to provide for interaction with a user, as well; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form, including acoustic, speech, or tactile input.

The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front end component (e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network (“LAN”), a wide area network (“WAN”), peer-to-peer networks (having ad-hoc or static members), grid computing infrastructures, and the Internet.

The computing system can include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.

Although a few implementations have been described in detail above, other modifications are possible. In addition, the logic flows depicted in the figures do not require the particular order shown, or sequential order, to achieve desirable results. Other steps may be provided, or steps may be eliminated, from the described flows, and other components may be added to, or removed from, the described systems. Accordingly, other implementations are within the scope of the following claims.

CLAIMS

1. A computer-implemented method executed by one or more processors for applying network policies to devices based on their current access network, the method comprising: receiving a message from a device over a particular network, the message associated with a source address; determining a current access network for the device based at least in part on the source address, wherein the current access network is external to the particular network, and the message received from the device on the particular network is transmitted by the device over the current access network; and applying a network policy for the particular network to the device based on the determined current access network.

2. The method of claim 1, wherein the message from the device is received by a server at an access network separate from the current access network of the device.

3. The method of claim 1, wherein the network over which the message is received from the device is the Internet.

4. The method of claim 1, further comprising identifying one or more known access networks each identified by a particular source address range, wherein the known access networks includes the current access network, and wherein determining the current access network of the device includes determining that the source address associated with the received message is included in the particular source address range associated with the current access network.

5. The method of claim 4, wherein the particular source address range includes a subnet mask.

6. The method of claim 1, wherein the current access network is associated with a network provider that operates the current access network.

7. The method of claim 1, wherein assigning the network policy to the device includes assigning a maximum bandwidth usage parameter to the device.

8. The method of claim 1, wherein assigning the network policy to the device includes restricting access to one or more network resources.

9. The method of claim 1, wherein assigning the network policy to the device includes permitting access to one or more network resources.

10. The method of claim 1, wherein the received message is a heartbeat message.

11. The method of claim 1, wherein the received message is a request for a proxy automatic configuration (PAC) script.

12. A non-transitory, computer-readable medium storing instructions operable when executed to cause at least one processor to perform operations comprising: receiving a message from a device over a particular network, the message associated with a source address; determining a current access network for the device based at least in part on the source address, wherein the current access network is external to the particular network, and the message received from the device on the particular network is transmitted by the device over the current access network; and applying a network policy for the particular network to the device based on the determined current access network.

13. The computer-readable medium of claim 12, wherein the message from the device is received by a server at an access network separate from the current access network of the device.

14. The computer-readable medium of claim 12, wherein the network over which the message is received from the device is the Internet.

15. The computer-readable medium of claim 12, further comprising identifying one or more known access networks each identified by a particular source address range, wherein the known access networks includes the current access network, and wherein determining the current access network of the device includes determining that the source address associated with the received message is included in the particular source address range associated with the current access network.

16. The computer-readable medium of claim 15, wherein the particular source address range includes a subnet mask.

17. The computer-readable medium of claim 12, wherein the current access network is associated with a network provider that operates the current access network.

18. The computer-readable medium of claim 12, wherein assigning the network policy to the device includes assigning a maximum bandwidth usage parameter to the device.

19. The computer-readable medium of claim 12, wherein assigning the network policy to the device includes restricting access to one or more network resources.

20. A system for applying network policies to devices based on their current access network comprising: memory for storing data; and one or more processors operable to perform operations comprising: receiving a message from a device over a particular network, the message associated with a source address; determining a current access network for the device based at least in part on the source address, wherein the current access network is external to the particular network, and the message received from the device on the particular network is transmitted by the device over the current access network; and applying a network policy for the particular network to the device based on the determined current access network.